Gerald,

I've been working with Form-based authentication for the past several weeks
on iPlanet 6.0.  Looking at your web.xml deployment descriptor, it looks
like that's OK.  You aren't using a user-data-constraint, but it's not
required either.  Check out the J2EE specs and Blueprints for more
information.

I've used subdirectories for securing my pages, but your single JSP URL
should work fine in this situation.  It sounds like the form authentication
is being triggered properly and is presenting you the correct form.
However, the Orion form authentication impl. does not seem to forward you
onto the originally requested resource (/SecuredPage.jsp).  Is there any
sort of example provided by Orion for testing form-based authentication?  I
would try that if one exists.  Otherwise, I would submit a bug through the
Orion Bugzilla.

This form-based authentication seems to be a feature that is not well
supported at the moment by other EJB servers.  I've been fighting with it in
iPlanet for a while.  If I can get a chance some night this week, I'll
attempt to get my example of form-based authentication to work on Orion and
then send out the results to the list.


-- chris --



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Gerald
Gutierrez
Sent: Monday, February 05, 2001 5:52 PM
To: Orion-Interest
Cc: [EMAIL PROTECTED]
Subject: Form-based authentication not working right



Recently I asked about form-based authentication. I appreciate the help
several people gave, but from the responses I got it seems that I might
have miscommunicated somehow. I'm going to try again, this time explaining
myself better.

I'm using Orion 1.4.5 on Windows 2000. The same thing happens on Orion
1.3.8.
I have a number of JSP pages in the directory /app:

MainMenu.jsp    -- the main menu
SecuredPage.jsp -- a secured page, seen only when authenticated
LoginForm.jsp   -- form for logging in
LoginError.jsp  -- form displayed when there's an error

The user goes to MainMenu.jsp, where there is a link to SecuredPage.jsp. To
view this page, the user must be authenticated. The authentication is
form-based.

This is what should (CORRECTLY) happen:

  1) User goes to MainMenu.jsp.
  2) User clicks on link to SecuredPage.jsp.
  3) User is presented with LoginForm.jsp.
  4) User types in username and password.
  5a) Login succeeds and SecuredPage.jsp is shown to user.
  5b) Login fails and LoginError.jsp is shown to user.

HOWEVER, this is the (INCORRECT) sequence of events that I actually get:

  1) -- as before --
  2) -- as before --
  3) -- as before --
  4) -- as before --
  5a) Login succeeds and directory contents is shown to user.
  5b) Login fails and directory contents is shown to user.

Note the same (WRONG) thing happens whether or not the user authenticates
properly. The directory contents is the list of JSP files that I have in
/app.


So ... what's wrong here? It redirects to my login form correctly. It just
doesn't behave properly when I actually do the login (hit
"j_security_check" with "j_username" and "j_password"). This is the
relevant section of my web.xml file:

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>LoginTrigger</web-resource-name>
             <description>LoginTrigger</description>
             <url-pattern>/SecuredPage.jsp</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
             <role-name>myuser</role-name>
         </auth-constraint>
     </security-constraint>

     <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
             <form-login-page>LoginForm.jsp</form-login-page>
             <form-error-page>LoginError.jsp</form-error-page>
         </form-login-config>
     </login-config>

     <security-role>
             <role-name>myuser</role-name>
     </security-role>
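
A static check of the posted descriptor, as an added example that is not part of either message or of Orion: it flags what a reviewer would question in a FORM-auth web.xml (a constraint limited to listed HTTP methods, no user-data-constraint requiring TLS, undeclared roles, and login/error page paths without the leading / that the Servlet 2.3 DTD specifies). The function name audit_web_xml, the finding codes and the wrapping <web-app> root are assumptions made for the example, and the findings are review points, not a diagnosis of the behaviour reported in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor fragment from the message, wrapped in a root element.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LoginTrigger</web-resource-name>
      <url-pattern>/SecuredPage.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>myuser</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>LoginForm.jsp</form-login-page>
      <form-error-page>LoginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>myuser</role-name></security-role>
</web-app>"""

def audit_web_xml(xml_text):
    """Return (code, detail) findings for a DTD-style web.xml (no XML namespaces)."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {(r.text or "").strip() for r in root.findall("security-role/role-name")}
    for sc in root.findall("security-constraint"):
        coll = "web-resource-collection/"
        patterns = [(p.text or "").strip() for p in sc.findall(coll + "url-pattern")]
        methods = [(m.text or "").strip() for m in sc.findall(coll + "http-method")]
        if methods:  # listing methods leaves every other HTTP method outside the constraint
            findings.append(("METHODS_LIMITED", f"{patterns}: only {methods} constrained"))
        if sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip() == "NONE":
            findings.append(("NO_TRANSPORT_GUARANTEE", f"{patterns}: TLS not required"))
        for role in sc.findall("auth-constraint/role-name"):
            name = (role.text or "").strip()
            if name != "*" and name not in declared:
                findings.append(("UNDECLARED_ROLE", name))
    if (root.findtext("login-config/auth-method") or "").strip() == "FORM":
        for tag in ("form-login-page", "form-error-page"):
            path = (root.findtext(f"login-config/form-login-config/{tag}") or "").strip()
            if not path.startswith("/"):  # Servlet 2.3 DTD: path begins with a leading /
                findings.append(("RELATIVE_FORM_PATH", f"{tag}={path!r}"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_web_xml(WEB_XML):
        print(code, detail)
```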




